Deploy your agent to Gemini Enterprise Agent Platform to consistently apply security, governance, and observability settings for your agents. Connect your agent to a BigQuery MCP server for data retrieval and analysis tasks.
This guide helps you understand the Agent Platform with governance application template. You can use this template to quickly deploy your agent, along with its infrastructure and policies, as an application on Google Cloud.
For example, you might implement this template to address the following business needs:
| Example | Business need | Implementation |
|---|---|---|
| Governed data analyst for sensitive financial datasets | A financial services firm needs to use internal datasets to generate reports for analysts. They need to detect PII (Personally Identifiable Information) and detect attempts to bypass internal data access rules. | The agent discovers and queries the financial database using a standardized protocol. Only the agent's specific identity can access the BigQuery tool. A final safety layer automatically scrubs sensitive data and malicious prompts. |
| Regional customer support agent with regional data residency | A global retail brand needs a customer support agent in a specific region to comply with data residency laws. The agent must be isolated so that its traffic only flows through specific, audited regional endpoints. | Regional gateways enforce data residency by pinning traffic to specific locations. Authorization policies provide a zero-trust posture, while all ingress and egress are funneled through regional modules to provide a comprehensive audit trail. |
| Automated content moderator for community forums | A media company needs to scan user-submitted comments and flag them for removal. The company needs to separate moderation logic from safety policy. | Authorization extensions separate moderation logic from the safety configuration, while Model Armor identifies toxic content. The agent scales automatically on a managed runtime and uses the registry service to interact securely with the dataset. |
Architecture
The following image shows the template components and connections:
The template components are organized in the following layers:
Agent logic execution
- Agent Runtime: hosts the agent logic in a managed serverless environment.
Traffic management
- Agent Gateway: a regional proxy that manages incoming traffic and directs requests into the agent environment. The egress component controls how and where the agent sends data or calls external APIs.
- Authorization Policy: helps ensure that requestors have permission for the requested actions. The following authorization policies are configured in this template:
  - Inbound requests.
  - Outbound requests.
  - Content validation.
- Authorization Service Extensions: provides a programmable hook to inject custom authorization logic into the incoming and outgoing traffic flows.
- Model Armor Template: inspects the model's input and output to block sensitive data leaks, jailbreak attempts, or toxic content.
Data source connection
- Agent Registry service: a centralized catalog that you use to manage, version, and discover tools and services.
- Agent Registry MCP server: helps the agent discover and interact with Google Cloud data sources (BigQuery) using a standardized protocol.
- Identity-Aware Proxy (IAP) for the Agent Registry MCP server: connects the Agent Runtime identity to the MCP server.
- BigQuery: a dataset and a table used by the agent for data retrieval or analysis.
What's next
- Learn how to deploy or duplicate this template.
- Understand how to customize templates to fit your specific needs.
- Choose your agentic architecture components.